Service abuse: IBM IAM account notification with callback scam indicators

Detects inbound messages abusing IBM's IAM account notification address that contain callback scam intent patterns identified through natural language analysis.

Sublime rule:

name: "Service abuse: IBM IAM account notification with callback scam indicators"
description: "Detects inbound messages abusing IBM's IAM account notification address that contain callback scam intent patterns identified through natural language analysis."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and sender.email.email == "ibmacct@iam.ibm.com"
  and any(ml.nlu_classifier(body.current_thread.text).intents,
          .name == "callback_scam" and .confidence != "low"
  )
attack_types:
  - "Callback Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Social engineering"
  - "Out of band pivot"
detection_methods:
  - "Sender analysis"
  - "Content analysis"
  - "Natural Language Understanding"
id: "7c4ef255-9063-54a8-99c2-9e20382ef96d"
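As an added illustration (not code from the Sublime rule repository), the rule's predicate re-implemented in plain Python and run over constructed message records, to show which sender and intent combinations fire and which do not. The intent dictionaries are constructed stand-ins for the output of ml.nlu_classifier, not Sublime's real classifier.

```python
"""Mirror of the MQL predicate above, evaluated over constructed samples.
Assumption: nlu_intents stands in for ml.nlu_classifier(...).intents."""
from dataclasses import dataclass, field

EXPECTED_SENDER = "ibmacct@iam.ibm.com"  # the address named in the rule


@dataclass
class Message:
    inbound: bool
    sender_email: str
    # constructed stand-in for the NLU classifier's intent list
    nlu_intents: list = field(default_factory=list)


def rule_matches(msg: Message) -> bool:
    """inbound AND exact sender match AND any intent named callback_scam
    whose confidence is anything other than 'low' (so medium and high fire)."""
    if not msg.inbound:
        return False
    if msg.sender_email != EXPECTED_SENDER:  # exact equality, as written in the rule
        return False
    return any(
        i["name"] == "callback_scam" and i["confidence"] != "low"
        for i in msg.nlu_intents
    )


# Constructed samples covering the rule's decision points.
SAMPLES = {
    "high_confidence": Message(True, EXPECTED_SENDER,
                               [{"name": "callback_scam", "confidence": "high"}]),
    "medium_confidence": Message(True, EXPECTED_SENDER,
                                 [{"name": "callback_scam", "confidence": "medium"}]),
    "low_confidence": Message(True, EXPECTED_SENDER,
                              [{"name": "callback_scam", "confidence": "low"}]),
    "other_intent_only": Message(True, EXPECTED_SENDER,
                                 [{"name": "cred_theft", "confidence": "high"}]),
    "no_intents": Message(True, EXPECTED_SENDER, []),
    # lookalike address is out of scope for this rule, which keys on the exact sender
    "lookalike_sender": Message(True, "ibmacct@iam.ibm.example",
                                [{"name": "callback_scam", "confidence": "high"}]),
    "outbound": Message(False, EXPECTED_SENDER,
                        [{"name": "callback_scam", "confidence": "high"}]),
}


def evaluate_samples() -> dict:
    """Return {sample_name: fires} for every constructed sample."""
    return {name: rule_matches(msg) for name, msg in SAMPLES.items()}


if __name__ == "__main__":
    for name, fired in evaluate_samples().items():
        print(f"{name:20s} -> {'MATCH' if fired else 'no match'}")
```

Only the first two samples fire; note that a medium-confidence intent is enough, since the rule excludes only "low".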